---
name: 'KICS'

# Triggers: PRs and pushes to main, manual runs, and a weekly schedule
# (day-of-week 4 = Thursday, 18:43 UTC) so new KICS rules are applied to
# the repository even when nothing has changed.
on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - 'main'
  push:
    branches:
      - 'main'
  workflow_dispatch: {}
  schedule:
    - cron: '43 18 * * 4'

# Workflow-wide token scope is read-only; individual jobs widen it explicitly.
permissions: 'read-all'

env:
  # Digest-pinned gitleaks image used to scan the SARIF report for secrets
  # before it is uploaded as an artifact and to code-scanning.
  # yamllint disable rule:line-length
  # renovate image dep:
  gitleaks-image: 'ghcr.io/gitleaks/gitleaks:v8.21.2@sha256:0e99e8821643ea5b235718642b93bb32486af9c8162c8b8731f7cbdc951a7f46'
  # yamllint enable rule:line-length
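jobs:
  analysis:
    name: 'KICS analysis'
    runs-on: 'ubuntu-24.04'
    permissions:
      # Needed to upload the SARIF results to the code-scanning dashboard.
      security-events: 'write'
      # NOTE(review): no step in this job requests an OIDC token or publishes
      # results, and the "publish_results" step this permission used to cite
      # does not exist in this workflow. Left in place to avoid changing the
      # token scope silently; confirm it is needed and drop it if not.
      id-token: 'write'
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      - name: 'Harden Runner'
        uses: 'step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f' # v2.10.2
        with:
          # Deny all egress except the hosts listed below; any new dependency
          # (registry, download host) must be added here or the job fails.
          egress-policy: 'block'
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            ghcr.io:443
            github.com:443
            kics.io:443
            packages.wolfi.dev:443
            pkg-containers.githubusercontent.com:443
            registry.npmjs.org:443
      - name: 'Checkout the repository'
        uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # v4.2.2
        with:
          # Do not leave the job token in .git/config for later steps to read.
          persist-credentials: false
      - name: 'Create results directory'
        shell: 'bash'
        run: |
          # fail if:
          # - a variable is unbound
          # - any command fails
          # - a command in a pipe fails
          # - a command in a sub-shell fails
          set -Eeuo pipefail
          # enable debug if runner runs in debug
          [[ "${{ runner.debug }}" -ne 1 ]] || {
            echo "INFO: Enabling bash trace";
            set -x;
          };
          mkdir -p results
      - name: 'Run KICS scan'
        uses: 'checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16' # v2.1.3
        with:
          path: './'
          output_path: 'results'
          config_path: './kics.config'
          output_formats: 'sarif'
      # The SARIF report embeds file snippets, so it is scanned for secrets
      # before it leaves the runner as an artifact or a code-scanning upload.
      - name: 'Scan results/results.sarif to ensure it contains no secrets'
        shell: 'bash'
        run: |
          # fail if:
          # - a variable is unbound
          # - any command fails
          # - a command in a pipe fails
          # - a command in a sub-shell fails
          set -Eeuo pipefail
          # enable debug if runner runs in debug
          [[ "${{ runner.debug }}" -ne 1 ]] || {
            echo "INFO: Enabling bash trace";
            set -x;
          };
          sarif="results/results.sarif"
          # If the bind-mount source is missing, Docker creates an empty
          # directory at that host path, so a KICS run that produced no SARIF
          # would pass this scan and upload a directory. Fail early instead.
          [[ -f "${sarif}" ]] || {
            echo "ERROR: ${sarif} not found; the KICS step produced no SARIF output";
            exit 1;
          };
          # Absolute, read-only mount of just the report; the container is
          # removed afterwards. The image is pinned by digest via env.gitleaks-image.
          docker run --rm -v "${PWD}/${sarif}:/scan:ro" "${{ env.gitleaks-image }}" detect --source "/scan" --no-git || {
            # gitleaks exits non-zero both on a finding and on a runtime error;
            # either way the report must not be uploaded.
            echo "ERROR: gitleaks reported a secret in ${sarif} (or failed to run), failing workflow";
            exit 1;
          };
      - name: 'Upload artifact'
        uses: 'actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b' # v4.5.0
        with:
          name: 'SARIF file'
          path: 'results/results.sarif'
          # Treat a missing report as an error rather than a silent warning.
          if-no-files-found: 'error'
          retention-days: 5
      - name: 'Upload to code-scanning'
        uses: 'github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae' # v3.27.9
        with:
          sarif_file: 'results/results.sarif'
...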